Russian threat actor Cozy Bear has unleashed a highly targeted and sophisticated malicious campaign, targeting over 100 organizations in critical sectors, Microsoft warns. The attackers send carefully crafted emails to trick users into opening a Remote Desktop Protocol (RDP) configuration file, leading to compromise.
The new campaign has been in action since October 22nd, 2024. More than a thousand users in over 100 organizations received phishing emails with lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust.
Cozy Bear attempted to add credibility to their malicious messages by impersonating Microsoft employees.
Their goal was to lure victims into opening a signed RDP configuration file that connected to a hacker-controlled server. This file summarizes the automatic settings and resource mappings established when a successful connection to an RDP server occurs.
“The use of a signed RDP configuration file to gain access to the targets’ devices represents a novel access vector for this actor,” the Microsoft Threat Intelligence team said in a report.
Microsoft warns that the malicious RDP attachments contained several sensitive settings that would lead to significant information exposure.
“Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server. Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards.”
Attackers can exploit this access to install malware or additional tools, such as remote access trojans, to maintain access even when the RDP session is closed.
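The resource mappings Microsoft lists above correspond to ordinary settings in an .rdp file (drive, device, clipboard, printer, smart-card and microphone redirection), which is why a mail gateway or endpoint tool can triage such an attachment by reading it. The Python below is an added example for this article, not code from Microsoft or from the campaign: it parses the `name:type:value` lines of an .rdp file, reports which local resources the file would hand to the remote host, notes whether the file carries a signature, and returns a block/allow decision against an allow-list of known hosts. The sample file text, the `rdp.example.invalid` and `jump.corp.example` hostnames and the signature blob are constructed placeholders; the setting names are standard RDP keys, but which ones count as risky is this example's own judgement.

```python
"""Triage an RDP configuration (.rdp) attachment for local-resource
redirection. Added example, not Microsoft's or the threat actor's code.
Input is assumed to be already decoded to text (real .rdp files are
often UTF-16 with a BOM)."""
import re
from typing import Dict, List, Set, Tuple

# Standard .rdp keys that push a local resource to the remote host, each
# with a predicate for the value that enables it. Risk mapping is ours.
RISKY_SETTINGS = {
    "drivestoredirect":     lambda v: v != "",   # "*" or drive list: local disks
    "devicestoredirect":    lambda v: v != "",   # plug-and-play peripherals
    "usbdevicestoredirect": lambda v: v != "",   # USB devices
    "redirectclipboard":    lambda v: v == "1",
    "redirectprinters":     lambda v: v == "1",
    "redirectcomports":     lambda v: v == "1",
    "redirectsmartcards":   lambda v: v == "1",  # smart-card auth to remote host
    "audiocapturemode":     lambda v: v == "1",  # microphone
}

# name:type:value, where type is s (string), i (integer) or b (binary).
LINE_RE = re.compile(r"^([^:]+):([sib]):(.*)$")


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {setting name: (type, value)}. Names are lower-cased; the
    value keeps any further colons, so 'host:3389' survives intact."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.lstrip("\ufeff").splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # tolerate junk lines instead of failing on them
            name, typ, value = m.groups()
            settings[name.strip().lower()] = (typ, value.strip())
    return settings


def risky_redirections(settings: Dict[str, Tuple[str, str]]) -> List[str]:
    """Names of redirection settings present with their permissive value."""
    return sorted(name for name, enabled in RISKY_SETTINGS.items()
                  if name in settings and enabled(settings[name][1]))


def assess(text: str) -> dict:
    """Summarise target host, signature presence and enabled redirections."""
    s = parse_rdp(text)
    return {
        "host": s.get("full address", ("s", ""))[1],
        # rdpsign-style signed files carry both a scope and a signature.
        "signed": "signature" in s and "signscope" in s,
        "redirections": risky_redirections(s),
    }


def should_block(text: str, allowed_hosts: Set[str]) -> bool:
    """Block when the file points outside the allow-list or redirects any
    local resource. The host is compared without its :port suffix (IPv4
    or hostname form assumed)."""
    r = assess(text)
    host = r["host"].split(":")[0].lower()
    return host not in allowed_hosts or bool(r["redirections"])


# Constructed sample resembling the kind of attachment the article describes.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
signscope:s:Full Address,Alternate Full Address
signature:s:PLACEHOLDER-SIGNATURE-BLOB
drivestoredirect:s:*
devicestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
audiocapturemode:i:1
redirectcomports:i:0
"""

# Constructed benign file: approved jump host, no redirection enabled.
BENIGN_RDP = "full address:s:jump.corp.example\nredirectclipboard:i:0\n"

if __name__ == "__main__":
    allow = {"jump.corp.example"}
    for label, doc in (("constructed sample", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        print(label, assess(doc), "BLOCK" if should_block(doc, allow) else "allow")
```

Note that a valid signature only proves the file was not altered after signing; as the article points out, the attackers signed their own files, so the `signed` flag is context for an analyst, not a reason to trust the attachment.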
Cozy Bear, known as APT29 and labeled Midnight Blizzard by Microsoft, is a Russian threat actor attributed to Russia’s Foreign Intelligence Service (SVR). This notorious and highly sophisticated threat actor primarily focuses on intelligence collection and usually targets government agencies, diplomatic entities, NGOs, and IT service providers, primarily in the US and Europe.
The likely goal of the ongoing campaign is intelligence collection. The Government Computer Emergency Response Team of Ukraine (CERT-UA) has reported overlapping activity. Amazon has also identified malicious internet domains abused by Cozy Bear.
“Their targets were associated with government agencies, enterprises, and militaries, and the phishing campaign was apparently aimed at stealing credentials from Russian adversaries,” Amazon said. “We immediately initiated the process of seizing the domains APT29 was abusing, which impersonated AWS in order to interrupt the operation.”
Microsoft recommends using firewalls, multi-factor authentication, phishing-resistant authentication methods, strengthened endpoint security, and antivirus configurations, among other mitigation measures.